last sync: 2024-Sep-19 17:51:49 UTC

Defender for Storage Scanner Operator

Azure BuiltIn RBAC Role definition

Name: Defender for Storage Scanner Operator
Id: 0f641de8-0b88-4198-bdef-bd8b45ceba96
Description: Lets you enable and configure Microsoft Defender for Storage's malware scanning and sensitive data discovery features on your storage accounts. Includes an ABAC condition to limit role assignments.
CreatedOn: 2023-11-13 16:11:26 UTC
UpdatedOn: 2024-07-01 15:03:42 UTC
History
Date/Time (UTC ymd) | Change | Change detail
2024-07-01 18:19:32 | change: Actions | add Microsoft.Security/advancedThreatProtectionSettings/read; add Microsoft.Security/advancedThreatProtectionSettings/write; add Microsoft.Security/datascanners/read; add Microsoft.Security/datascanners/write; add Microsoft.Security/dataScanners/delete
2024-04-30 17:48:19 | add: Role 0f641de8-0b88-4198-bdef-bd8b45ceba96
Permissions summary
Effective control plane and data plane operations: 64 (unique operations)
•action: 7
•delete: 4
•read: 45
•write: 8

Actions: 22
Resolved control plane operations from Actions: 64
Effective control plane operations: 64
•action: 7
•delete: 4
•read: 45
•write: 8

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15731

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3259
Actions
Operation | Description
Microsoft.Authorization/*/read | wildcarded / no description
Microsoft.Authorization/roleAssignments/delete [conditioned] | Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write [conditioned] | Create a role assignment at the specified scope.
Microsoft.EventGrid/eventSubscriptions/delete | Delete an eventSubscription
Microsoft.EventGrid/eventSubscriptions/read | Read an eventSubscription
Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription
Microsoft.EventGrid/topics/read | Read a topic
Microsoft.Management/managementGroups/read | List management groups for the authenticated user.
Microsoft.Resources/deployments/* | wildcarded / no description
Microsoft.Resources/deployments/* | wildcarded / no description (listed a second time in the role definition)
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Security/advancedThreatProtectionSettings/read | Gets the Advanced Threat Protection Settings for the resource
Microsoft.Security/advancedThreatProtectionSettings/write | Updates the Advanced Threat Protection Settings for the resource
Microsoft.Security/dataScanners/delete | Deletes the datascanners for the scope
Microsoft.Security/datascanners/read | Gets the datascanners for the scope
Microsoft.Security/datascanners/write | Creates or updates the datascanners for the scope
Microsoft.Security/defenderforstoragesettings/read | Gets the defenderforstoragesettings for the scope
Microsoft.Security/defenderforstoragesettings/write | Creates or updates the defenderforstoragesettings for the scope
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters, or updates the properties or tags, or adds a custom domain for the specified storage account.
Microsoft.Support/* | wildcarded / no description
NotActions: n/a
DataActions: n/a
NotDataActions: n/a
Used in
BuiltIn Policy
none
JSON
api-version=2023-07-01-preview
Condition (the role names in parentheses after each GUID are annotations added on this page; the condition expression itself contains only the GUIDs)

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )
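To make the condition concrete, the following is an added Python model of how it is evaluated; it is example code written for this page, not Azure's evaluator and not part of the role definition. It assumes that GuidEquals compares only the trailing GUID of the RoleDefinitionId attribute, case-insensitively, whether the attribute holds a bare GUID or a full ARM id; the subscription id in the sample requests is constructed, and the Owner role GUID used as the "escalation attempt" case is not taken from this page. Note what the condition does and does not constrain: it limits which role definitions the operator may assign (@Request, on write) or unassign (@Resource, on delete) to the two listed GUIDs, but says nothing about the principal or the scope, so a holder can still grant Defender for Storage Data Scanner or EventGrid Data Sender to any principal at any scope where this role is held. Every action other than roleAssignments/write and roleAssignments/delete passes the condition unchanged.

```python
import re
import uuid
from typing import Optional

# Role definition GUIDs quoted in the condition on this page.
DEFENDER_FOR_STORAGE_DATA_SCANNER = uuid.UUID("1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40")
EVENTGRID_DATA_SENDER = uuid.UUID("d5a91429-5739-47e2-a06b-3470a27159e7")
ALLOWED_ROLE_DEFINITION_IDS = {DEFENDER_FOR_STORAGE_DATA_SCANNER, EVENTGRID_DATA_SENDER}

WRITE_ACTION = "Microsoft.Authorization/roleAssignments/write"
DELETE_ACTION = "Microsoft.Authorization/roleAssignments/delete"

_GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def role_definition_guid(role_definition_id: Optional[str]) -> Optional[uuid.UUID]:
    """Return the GUID at the end of a role definition id, or None if there is none.

    Accepts a bare GUID or a full ARM id such as
    /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid>.
    Assumption: GuidEquals compares only the GUID, case-insensitively.
    """
    if not role_definition_id:
        return None
    match = _GUID_RE.search(role_definition_id.rstrip())
    return uuid.UUID(match.group(0)) if match else None


def action_matches(action: str, pattern: str) -> bool:
    """ActionMatches: case-insensitive; '*' in the pattern matches any run of characters."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def condition_allows(action: str,
                     request_role_definition_id: Optional[str] = None,
                     resource_role_definition_id: Optional[str] = None) -> bool:
    """Evaluate the page's condition for one authorization decision.

    request_role_definition_id  models @Request[...:RoleDefinitionId]
        (the role definition of the assignment being created).
    resource_role_definition_id models @Resource[...:RoleDefinitionId]
        (the role definition of the existing assignment being deleted).
    Returns True when the condition permits the action.
    """
    def in_allowed_set(role_definition_id: Optional[str]) -> bool:
        guid = role_definition_guid(role_definition_id)
        return guid is not None and guid in ALLOWED_ROLE_DEFINITION_IDS

    # ( !ActionMatches{write}  OR  @Request RoleDefinitionId in {allowed} )
    write_clause = (not action_matches(action, WRITE_ACTION)) or in_allowed_set(request_role_definition_id)
    # AND ( !ActionMatches{delete}  OR  @Resource RoleDefinitionId in {allowed} )
    delete_clause = (not action_matches(action, DELETE_ACTION)) or in_allowed_set(resource_role_definition_id)
    return write_clause and delete_clause


def demo() -> dict:
    """Constructed requests showing what the condition blocks and what it lets through."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription id
    owner = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # Owner built-in role (GUID not on this page)
    scanner_arm_id = f"{sub}/providers/Microsoft.Authorization/roleDefinitions/1E7CA9B1-60D1-4DB8-A914-F2CA1FF27C40"
    return {
        "assign_data_scanner": condition_allows(WRITE_ACTION, request_role_definition_id=scanner_arm_id),
        "assign_owner": condition_allows(WRITE_ACTION, request_role_definition_id=owner),
        "assign_without_role_id": condition_allows(WRITE_ACTION),
        "delete_eventgrid_sender": condition_allows(DELETE_ACTION, resource_role_definition_id=str(EVENTGRID_DATA_SENDER)),
        "delete_owner": condition_allows(DELETE_ACTION, resource_role_definition_id=owner),
        "read_assignments": condition_allows("Microsoft.Authorization/roleAssignments/read"),
        "update_storage_account": condition_allows("Microsoft.Storage/storageAccounts/write"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY'}")
```

Running the file prints ALLOW or DENY for each constructed case: assigning or unassigning the two scanner-related roles passes, an attempt to assign Owner (or to write an assignment with no recognisable role definition id) is denied by the condition, and the storage account write and role assignment read are unaffected because neither clause applies to them.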